* [refpolicy] [PATCH/RFC 5/19]: patch set to update the git reference policy
@ 2011-01-24  0:44 Guido Trentalancia
  2011-01-24 14:18 ` Dominick Grift
From: Guido Trentalancia @ 2011-01-24  0:44 UTC (permalink / raw)
  To: refpolicy

diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/corecommands.if refpolicy-git-18012011-new/policy/modules/kernel/corecommands.if
--- refpolicy-git-18012011/policy/modules/kernel/corecommands.if	2011-01-08 19:07:21.197734248 +0100
+++ refpolicy-git-18012011-new/policy/modules/kernel/corecommands.if	2011-01-18 23:13:49.755846822 +0100
@@ -808,6 +808,27 @@ interface(`corecmd_check_exec_shell',`
 
 ########################################
 ## <summary>
+##      Allow mmap_file_perms on a shell
+##      executable.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`corecmd_mmap_file_exec_shell',`
+        gen_require(`
+                type bin_t, shell_exec_t;
+        ')
+
+        list_dirs_pattern($1, bin_t, bin_t)
+        read_lnk_files_pattern($1, bin_t, bin_t)
+        allow $1 shell_exec_t:file mmap_file_perms;
+')
+
+########################################
+## <summary>
 ##	Execute shells in the caller domain.
 ## </summary>
 ## <desc>
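Review bot: The summary on the new doc lines ("Allow mmap_file_perms on a shell executable") echoes the macro name instead of stating the access granted; as far as I recall, mmap_file_perms in refpolicy's obj_perm_sets.spt includes execute as well as read, so something like `##	Read and execute-map (mmap) shell executables.` would tell a caller what they are really handing out — please confirm against the permission set definition. The new doc lines are also indented with spaces where the existing neighbouring line `##	Execute shells in the caller domain.` uses a tab, and the interface body uses eight spaces where the mount.if hunk of this same patch uses tabs; the doc lines of that mount.if hunk have the same space indentation. The name could also follow the neighbouring interfaces (corecmd_exec_shell, corecmd_check_exec_shell), e.g. corecmd_mmap_exec_shell, rather than embedding the permission-set name.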
diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/mount.if refpolicy-git-18012011-new/policy/modules/system/mount.if
--- refpolicy-git-18012011/policy/modules/system/mount.if	2011-01-08 19:07:21.358759676 +0100
+++ refpolicy-git-18012011-new/policy/modules/system/mount.if	2011-01-18 23:13:49.814855139 +0100
@@ -51,6 +51,25 @@ interface(`mount_run',`
 
 ########################################
 ## <summary>
+##      Get the attributes of mount
+##      executable files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mount_exec_getattr',`
+	gen_require(`
+		type mount_exec_t;
+	')
+
+	allow $1 mount_exec_t:file getattr;
+')
+
+########################################
+## <summary>
 ##	Execute mount in the caller domain.
 ## </summary>
 ## <param name="domain">
diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/mount.te refpolicy-git-18012011-new/policy/modules/system/mount.te
--- refpolicy-git-18012011/policy/modules/system/mount.te	2011-01-17 19:36:10.814131755 +0100
+++ refpolicy-git-18012011-new/policy/modules/system/mount.te	2011-01-23 20:46:59.057098397 +0100
@@ -37,6 +37,11 @@ application_domain(unconfined_mount_t, m
 # setuid/setgid needed to mount cifs 
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
 
+ifdef(`distro_redhat',`
+	# needed by /sbin/mount.tmpfs bash script
+	allow mount_t self:fifo_file rw_fifo_file_perms;
+')
+
 allow mount_t mount_loopback_t:file read_file_perms;
 
 allow mount_t mount_tmp_t:file manage_file_perms;
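Review bot: The new self:fifo_file rule is wrapped in distro_redhat, but a domain's read/write access to its own pipes is granted unconditionally for most domains in refpolicy, so the guard adds no isolation while leaving the same kind of helper script failing on other distributions. Unless there is a reason specific to this module, the unconditional `allow mount_t self:fifo_file rw_fifo_file_perms;` placed next to the existing self:capability rule would be the usual form; the comment `# needed by /sbin/mount.tmpfs bash script` can stay as the justification.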
@@ -51,12 +56,17 @@ kernel_read_kernel_sysctls(mount_t)
 kernel_dontaudit_getattr_core_if(mount_t)
 kernel_dontaudit_write_debugfs_dirs(mount_t)
 kernel_dontaudit_write_proc_dirs(mount_t)
+kernel_setsched(mount_t)
 # To load binfmt_misc kernel module
 kernel_request_load_module(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
 
+# required for mounting nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2
+# from initscripts 
+corecmd_mmap_file_exec_shell(mount_t)
+
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
 dev_read_sysfs(mount_t)
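Review bot: `kernel_setsched(mount_t)` is added without saying what in mount needs to change the scheduling of kernel threads, while the neighbouring rules (`# To load binfmt_misc kernel module`, `# required for mount.smbfs`) each carry a justification; the same applies to `dev_read_usbfs(mount_t)` in the next hunk of this file. A one-line why-comment naming the helper or operation that produced the denial, e.g. `# <PLACEHOLDER: helper/operation that needs setsched>`, lets a later reviewer judge whether the permission is still required or can be dropped. Without it the rule reads as a raw audit2allow carry-over.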
@@ -65,6 +75,7 @@ dev_rw_lvm_control(mount_t)
 dev_dontaudit_getattr_all_chr_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
 dev_getattr_sound_dev(mount_t)
+dev_read_usbfs(mount_t)
 # Early devtmpfs, before udev relabel
 dev_dontaudit_rw_generic_chr_files(mount_t)
 
@@ -108,6 +119,8 @@ storage_raw_read_fixed_disk(mount_t)
 storage_raw_write_fixed_disk(mount_t)
 storage_raw_read_removable_device(mount_t)
 storage_raw_write_removable_device(mount_t)
+# needed for example by ntfs-3g
+storage_rw_fuse(mount_t)
 
 term_use_all_terms(mount_t)
 


* [refpolicy] [PATCH/RFC 5/19]: patch set to update the git reference policy
  2011-01-24  0:44 [refpolicy] [PATCH/RFC 5/19]: patch set to update the git reference policy Guido Trentalancia
@ 2011-01-24 14:18 ` Dominick Grift
From: Dominick Grift @ 2011-01-24 14:18 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/24/2011 01:44 AM, Guido Trentalancia wrote:
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/corecommands.if refpolicy-git-18012011-new/policy/modules/kernel/corecommands.if
> --- refpolicy-git-18012011/policy/modules/kernel/corecommands.if	2011-01-08 19:07:21.197734248 +0100
> +++ refpolicy-git-18012011-new/policy/modules/kernel/corecommands.if	2011-01-18 23:13:49.755846822 +0100
> @@ -808,6 +808,27 @@ interface(`corecmd_check_exec_shell',`
>  
>  ########################################
>  ## <summary>
> +##      Allow mmap_file_perms on a shell
> +##      executable.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`corecmd_mmap_file_exec_shell',`
> +        gen_require(`
> +                type bin_t, shell_exec_t;
> +        ')
> +
> +        list_dirs_pattern($1, bin_t, bin_t)
> +        read_lnk_files_pattern($1, bin_t, bin_t)
> +        allow $1 shell_exec_t:file mmap_file_perms;
> +')

listing bin_t directories is not strictly required to mmap shell_exec_t
files.

> +
> +########################################
> +## <summary>
>  ##	Execute shells in the caller domain.
>  ## </summary>
>  ## <desc>
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/mount.if refpolicy-git-18012011-new/policy/modules/system/mount.if
> --- refpolicy-git-18012011/policy/modules/system/mount.if	2011-01-08 19:07:21.358759676 +0100
> +++ refpolicy-git-18012011-new/policy/modules/system/mount.if	2011-01-18 23:13:49.814855139 +0100
> @@ -51,6 +51,25 @@ interface(`mount_run',`
>  
>  ########################################
>  ## <summary>
> +##      Get the attributes of mount
> +##      executable files.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`mount_exec_getattr',`
> +	gen_require(`
> +		type mount_exec_t;
> +	')
> +
> +	allow $1 mount_exec_t:file getattr;
> +')

Name it mount_getattr_executable_file() or similar. Use permission sets
(getattr_file_perms) and provide access to the location of the mount
executable file (corecmd_search_bin($1)).

> +
> +########################################
> +## <summary>
>  ##	Execute mount in the caller domain.
>  ## </summary>
>  ## <param name="domain">
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/mount.te refpolicy-git-18012011-new/policy/modules/system/mount.te
> --- refpolicy-git-18012011/policy/modules/system/mount.te	2011-01-17 19:36:10.814131755 +0100
> +++ refpolicy-git-18012011-new/policy/modules/system/mount.te	2011-01-23 20:46:59.057098397 +0100
> @@ -37,6 +37,11 @@ application_domain(unconfined_mount_t, m
>  # setuid/setgid needed to mount cifs 
>  allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
>  
> +ifdef(`distro_redhat',`
> +	# needed by /sbin/mount.tmpfs bash script
> +	allow mount_t self:fifo_file rw_fifo_file_perms;
> +')
> +
>  allow mount_t mount_loopback_t:file read_file_perms;
>  
>  allow mount_t mount_tmp_t:file manage_file_perms;
> @@ -51,12 +56,17 @@ kernel_read_kernel_sysctls(mount_t)
>  kernel_dontaudit_getattr_core_if(mount_t)
>  kernel_dontaudit_write_debugfs_dirs(mount_t)
>  kernel_dontaudit_write_proc_dirs(mount_t)
> +kernel_setsched(mount_t)
>  # To load binfmt_misc kernel module
>  kernel_request_load_module(mount_t)
>  
>  # required for mount.smbfs
>  corecmd_exec_bin(mount_t)
>  
> +# required for mounting nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2
> +# from initscripts 
> +corecmd_mmap_file_exec_shell(mount_t)
> +
>  dev_getattr_all_blk_files(mount_t)
>  dev_list_all_dev_nodes(mount_t)
>  dev_read_sysfs(mount_t)
> @@ -65,6 +75,7 @@ dev_rw_lvm_control(mount_t)
>  dev_dontaudit_getattr_all_chr_files(mount_t)
>  dev_dontaudit_getattr_memory_dev(mount_t)
>  dev_getattr_sound_dev(mount_t)
> +dev_read_usbfs(mount_t)
>  # Early devtmpfs, before udev relabel
>  dev_dontaudit_rw_generic_chr_files(mount_t)
>  
> @@ -108,6 +119,8 @@ storage_raw_read_fixed_disk(mount_t)
>  storage_raw_write_fixed_disk(mount_t)
>  storage_raw_read_removable_device(mount_t)
>  storage_raw_write_removable_device(mount_t)
> +# needed for example by ntfs-3g
> +storage_rw_fuse(mount_t)
>  
>  term_use_all_terms(mount_t)
>  
> 
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk09ikoACgkQMlxVo39jgT9k6QCeKUwULKR8M+BlnwazqYkgohev
X74AoI/BP3BQ+MENrYIO472Xq8NCyt2Y
=Tr48
-----END PGP SIGNATURE-----

